[z/OS]

System Authorization Facility user registries

System Authorization Facility (SAF) user registries are used for several purposes in WebSphere® Application Server for z/OS®.

SAF-based user registries serve several purposes. Refer to Selecting a registry or repository for more information.

Using a local operating system or non-local operating system registry implementation, the WebSphere Application Server for z/OS authentication mechanism can use SAF interfaces. SAF interfaces are defined by MVS to enable applications to use system authorization services or user registries to control access to resources such as data sets and MVS commands. SAF either processes security authorization requests directly or works with RACF®, or another security product, to process the requests. Note that a local operating system SAF user registry is not a centralized registry in the way that Lightweight Directory Access Protocol (LDAP) is, but it is centralized within a sysplex.

Note: When a non-local operating system registry is used, WebSphere Application Server for z/OS uses the non-local operating system registry for authentication but still uses the SAF interface to control access to system resources.

With WebSphere Application Server for z/OS, SAF user registries provide digital certificate to user ID mappings using the Resource Access Control Facility (RACF) RACDCERT command. For more information on the RACDCERT command, refer to z/OS Security Server RACF Command Language Reference (SA22-7687-05), available at http://www.ibm.com/servers/eserver/zseries/zos/bkserv/r5pdf/secserv.html.
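As an added example that is not part of the original page, the following batch job runs the RACDCERT commands that create the two kinds of certificate-to-user-ID mapping RACF supports: a one-to-one mapping (a specific certificate stored under a user ID) and a many-to-one mapping (a distinguished-name filter). The job card, the user ID WASCLNT, the certificate data set WASADM.CLIENT.CERT, the labels and the filter value are hypothetical placeholders, not values from the page.

```jcl
//RACDCERT JOB (ACCT),'CERT MAP',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//* Added example, not from the original page. Runs RACF commands in
//* batch through the TSO/E terminal monitor program IKJEFT01.
//* Hypothetical names: user ID WASCLNT, data set WASADM.CLIENT.CERT,
//* labels WASCLIENT01 and DEVTEAMMAP, filter OU=Dev.O=Example.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* 1. One-to-one mapping: store the client's X.509 certificate   */
  /*    (DER or Base64 in a sequential data set) under the RACF    */
  /*    user ID it should log on as. TRUST allows authentication.  */
  RACDCERT ID(WASCLNT) ADD('WASADM.CLIENT.CERT') +
           WITHLABEL('WASCLIENT01') TRUST
  /* 2. Many-to-one mapping: any certificate whose subject DN      */
  /*    matches the filter maps to WASCLNT. Filter components are  */
  /*    period-separated, most specific first. Needs DIGTNMAP.     */
  SETROPTS CLASSACT(DIGTNMAP) RACLIST(DIGTNMAP)
  RACDCERT MAP ID(WASCLNT) SDNFILTER('OU=Dev.O=Example') +
           WITHLABEL('DEVTEAMMAP') TRUST
  /* 3. Refresh in-storage profiles so the mappings take effect.   */
  SETROPTS RACLIST(DIGTCERT DIGTNMAP) REFRESH
  /* 4. Verify the certificate and the filter that were defined.   */
  RACDCERT ID(WASCLNT) LIST
  RACDCERT ID(WASCLNT) LISTMAP
/*
```

The submitting user needs RACDCERT authority (the relevant IRR.DIGTCERT.* profiles in the FACILITY class, or SPECIAL). A filter-based mapping grants every certificate that matches the DN filter access as WASCLNT, so keep the filter as specific as the client population allows and check the output of LISTMAP before relying on it.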

WebSphere Application Server for z/OS localOS User Registry (SAF User Registry) implementation sets the registry realm name from the SAFDFLT profile in the REALM class when the SAFDFLT profile is defined, whether the REALM class is active or inactive. The realm name is specified as the APPLDATA property of the SAFDFLT profile. If the realm name cannot be obtained from the OS security product (such as RACF), the value specified for the protocol_iiop_daemon_listenIPAddress property is used as the realm name. For example, the value of protocol_iiop_daemon_listenIPAddress is used if the SAFDFLT profile or APPLDATA property is not defined.

Avoid trouble: Because of PE APAR PM76462, in Version 8.0.0.7 the localOS user registry (SAF user registry) implementation reads the realm name from the SAFDFLT profile only when the REALM class is active, rather than whether the class is active or inactive as described in the preceding paragraph. This error was corrected in Version 8.0.0.8.

Before any realm name change takes effect, the entire cell, including the Daemon Address Space, must be recycled.

There is a UNIX System Services restriction, however. If you list user and group information, only users that have an OMVS segment (where the user and group information is stored) are shown. Refer to Summary of controls for more information.

Avoid trouble: If you list the groups or users in the user registry for a specific security realm, resource name, or domain name, you must add an OMVS segment (where the user and group information is stored) to any group or user that you want to use with WebSphere Application Server. In addition, the default group of that user must have an OMVS segment for the user to be listed in the administrative console.
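The following batch job, added here and not part of the original page, carries out the two configuration steps described above: it defines the SAFDFLT profile in the REALM class with the realm name in APPLDATA, and it gives a WebSphere user and that user's default group the OMVS segments they need to appear in registry listings. The realm name WASPROD, the user WASADM, the group WASGRP, the UID and GID values and the home directory are hypothetical placeholders.

```jcl
//SAFREALM JOB (ACCT),'SAF REALM',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//* Added example, not from the original page. Hypothetical names:
//* realm WASPROD, user WASADM, group WASGRP, UID 2401, GID 2400.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* 1. Realm name = APPLDATA of profile SAFDFLT in class REALM.   */
  RDEFINE REALM SAFDFLT APPLDATA('WASPROD')
  /* 2. Activate and RACLIST the class. The page says SAFDFLT is   */
  /*    honored whether REALM is active or not, but on 8.0.0.7     */
  /*    (APAR PM76462) it is read only when the class is active,   */
  /*    so activating it is the portable choice.                   */
  SETROPTS CLASSACT(REALM) RACLIST(REALM)
  SETROPTS RACLIST(REALM) REFRESH
  /* 3. Verify what WebSphere will read as the realm name.         */
  RLIST REALM SAFDFLT
  /* 4. OMVS segments: the group needs a GID; the user needs a UID,*/
  /*    home directory and shell, or the user is not listed.       */
  ALTGROUP WASGRP OMVS(GID(2400))
  CONNECT WASADM GROUP(WASGRP)
  ALTUSER WASADM DFLTGRP(WASGRP) +
          OMVS(UID(2401) HOME('/u/wasadm') PROGRAM('/bin/sh'))
  /* 5. Verify: DEFAULT-GROUP must be WASGRP and both must show    */
  /*    an OMVS segment.                                           */
  LISTUSER WASADM OMVS
  LISTGRP WASGRP OMVS
/*
```

After the job completes, recycle the whole cell including the Daemon Address Space; the new realm name is not picked up until then. If RLIST shows no APPLDATA, WebSphere falls back to the value of protocol_iiop_daemon_listenIPAddress as the realm name, which is usually not what you want in a multi-cell sysplex.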
Note: The default and only implementation for a local operating system registry is SAF.

Refer to Selecting a registry or repository for general information about selecting user registries.




Subtopics
z/OS System Authorization Facility authorization
Related concepts
System Authorization Facility considerations for the operating system and application levels
Authorization technology
Related tasks
Selecting a registry or repository


Last updated: Feb 6, 2014 8:11:25 PM CST
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=matt&product=was-nd-mp&topic=csecsafuserreg
File name: csec_safuserreg.html